Category: Compliance


GDPR audience measurement: the CNIL framework to understand before choosing a tool

Audience measurement is no longer just a tooling decision. It is a governance decision. An SMB may legitimately want to understand pages, traffic sources and simple conversions without turning its website into a heavy marketing stack. That is a reasonable goal. The mistake is to turn a privacy-first product choice into a blanket legal promise.

The CNIL framework is more specific. It describes the conditions under which strictly limited audience measurement can, in some cases, be implemented with a lighter consent burden. Whether those conditions are met depends on the real purpose, the configuration, the retention period, the absence of cross-use, the provider's role and the information given to visitors. The useful question is therefore not "which tool removes all legal work?" but "does my actual setup stay within a documented, minimal and verifiable audience-measurement perimeter?".

What the CNIL framework says

The CNIL explains that traffic and performance statistics can be necessary for operating a website or application. It therefore describes a limited perimeter for audience-measurement trackers, provided the purpose stays strictly focused on the site or app audience and the measurement is carried out for the publisher's exclusive account. The framework excludes uses that combine the data with other processing, send non-anonymous data to third parties, or follow a person globally across several websites or applications.

The CNIL also recommends informing users, limiting tracker lifetime, capping the retention of collected information and periodically reviewing those periods. It provides a self-assessment tool to help vendors document their analysis. That nuance matters: self-assessment is not certification, and it does not prejudge what the CNIL could conclude during an investigation. Site publishers still need a cautious, documented reading of their own setup.

The criteria that should guide the choice

Before choosing an analytics solution, check these points first.

1. Strictly limited purpose. Collection should help understand traffic, performance, content viewed or navigation issues. If the same tool is used for retargeting, advertising activation, profiling or CRM enrichment, the setup no longer fits a minimal audience-measurement perimeter.

2. No vendor reuse. The provider should process data for your account only. Reuse for the provider's own services, advertising, global benchmarks or loosely governed product improvement increases risk.

3. No cross-site tracking. An identifier shared across several publishers or domains to follow global browsing behavior is incompatible with minimal audience measurement.

4. Statistical data and limited retention. The logic should remain aggregated and proportionate. Retention periods should be limited and reviewed. Raw or pseudonymized records should not become a permanent marketing archive.

5. Clear visitor information. Even when a lighter collection setup is possible, visitors still need clear information. The privacy policy should explain what is collected, why, for how long, by whom and how rights can be exercised.

Strict and Extended: a useful product separation

For privacy-first analytics, separating a minimal mode from an enriched mode is clearer than offering one vague switch.

Strict should cover the core needs: page views, readable sources when available without enrichment, volumes, trends and simple conversions. It should minimize fields and avoid any data that is not necessary for the stated purpose.

Extended should be explicit. It can support richer needs: detailed UTM campaigns, advanced events, goals, technical context, segmentation or multi-site analysis. Those uses can be legitimate, but they should be treated as configuration choices, not as the silent default.

This distinction helps product teams, DPOs, marketers and clients talk about the same operational reality.
The checklist before publishing

Before presenting your analytics setup as launch-ready, document at least:

- the exact measurement purpose;
- the fields collected in Strict;
- the fields added in Extended;
- retention periods;
- the absence of cross-use with other processing;
- potential transfers and their contractual basis;
- the updated privacy policy;
- the internal or vendor analysis based on CNIL sources;
- the profile-change procedure;
- the owner who approves collection changes.

This documentation does not replace legal review, but it prevents marketing copy from becoming operational debt.

What Pomelo should promise publicly

The strongest position is not an absolute claim. It is a controlled product promise:

- cookieless by default;
- minimal collection;
- clear documentation of collected fields;
- explicit Extended configuration when teams need richer detail.

That is more durable than a slogan. European SMBs, B2B SaaS teams and multi-site digital teams need analytics that is readable, governable and stable over time.

Sources

Sources checked on May 9, 2026.

- CNIL, Cookies and audience measurement solutions
- CNIL, audience-measurement self-assessment tool, July 2025
- Article 82 of the French Data Protection Act